
Adobe: Click-to-Play Would Have Avoided Flood of Java Zero-days

mask.of.sanity writes: Oracle could have saved mountains of cash and bad press if Click-to-Play was enabled before Java was hosed by an armada of zero day vulnerabilities, Adobe security boss Brad Arkin says. The simple fix introduced into browsers over the last year stopped the then zero day blitzkrieg in its tracks by forcing users to click a button to enable Java.
  • by slashdice ( 3722985 ) on Thursday October 16, 2014 @09:59AM (#48158991)
    how's them apples?
    • by i kan reed ( 749298 ) on Thursday October 16, 2014 @10:02AM (#48159031) Homepage Journal

      That's why we all have flashblock, right?

      • by bill_mcgonigle ( 4333 ) * on Thursday October 16, 2014 @12:43PM (#48160945) Homepage Journal

        That's why we all have flashblock, right?

        This is actually a problem. I've been running Flashblock, then NoScript, for probably 8 if not 10 years. The problem was well-known then, and Google and Netscape (and Safari?) did something about it a year or two ago.

        I miss the days when browser vendors weren't afraid to rapidly innovate and take bold, important steps. For all that time, the Internet was much, much less safe for their cowardice.

        • by Anonymous Coward on Thursday October 16, 2014 @03:58PM (#48162949)

          I miss the days when browser vendors weren't afraid to rapidly innovate and take bold, important steps.

          That's crazy talk. Browser vendors *are* innovating. Why just yesterday my computer automatically upgraded to Firefox ESR 31. I was surprised to discover in this new version that Mozilla has rearranged the browser display and hidden more options and buttons behind a single menu button. If you thought it was easy to get to a button with a single click, just wait until you have to make several more clicks to do the same thing. Now that's innovation and forward thinking!

          And I can't forget to mention that the browser tabs now have rounded edges. Browser vendors are at the cutting edge of innovation, bringing the public the things they need most. You just weren't paying attention.

        • "I miss the days when browser vendors weren't afraid to rapidly innovate and take bold, important steps."

          FWIW, when they do that most people on Slashdot complain. Damned do/don't, and all that.

      • by antdude ( 79039 )

        I dumped it after Mozilla added start plugin on demand options.

      • Nah, I use NoScript. It's a bit of a pain, but I really don't like random people running programs of their choosing on my computer, no matter in what language or interpreter/compiler.

    • Speaking of Apples ... Safari already requires you to click to play Flash OR Java.

    • by kmoser ( 1469707 )

      how's them applets?

      FYFY

  • by Anonymous Coward on Thursday October 16, 2014 @10:00AM (#48158993)

    Adobe isn't exactly in the best position to be lobbing stones at others' houses of security.

    • by Anonymous Coward

      My software is more secure than yours, especially when it is not run by users. *facepalm*

    • by rnturn ( 11092 )

      ``Adobe isn't exactly in the best position to be lobbing stones...''

      I cannot recall a single vulnerability assessment meeting at work where an Adobe product didn't come up.

    • by sootman ( 158191 )

      People who live in flash houses.... :-)

  • by MCROnline ( 1027312 ) on Thursday October 16, 2014 @10:00AM (#48158995)
    ...is such a beautiful thing.
  • by Lilith's Heart-shape ( 1224784 ) on Thursday October 16, 2014 @10:00AM (#48159003) Homepage
    Click-to-Play makes flash videos better by making them less useful as advertisements. Content like Flash and Java should always, always require the user's consent before running. There's no excuse for doing otherwise. Any code that doesn't await the user's consent before running is malware, and should be handled as such by any means available.
    • I totally agree...

      That's why the browser I use for regular surfing doesn't have Flash, Java, Shockwave, or Silverlight.. and I browse with all scripting turned off and only enable the scripting needed to make the page work IF I trust the site.

      If I run into content I want - Netflix, a Youtube video, or some other similar thing, I switch to Chrome where I have those installed.

    • Re: (Score:3, Funny)

      by countach ( 534280 )

      You realise the web site you are typing into now uses Javascript, and therefore you have just classified it as malware, right?

      • by Anonymous Coward on Thursday October 16, 2014 @10:21AM (#48159265)

        If you think Java is JavaScript then you're wrong. And on the other hand, if you think JavaScript on Slashdot is "code that doesn't await the user's consent before running", I'd say you give consent for Slashdot to run JavaScript when you visit the site. Any third party JavaScript, however, is quite often pretty close to spyware/malware, but there are tools such as NoScript and Ghostery to limit when and how these scripts are run if they're even run at all.

        • I know Java isn't Javascript, but no web site awaits consent before running Javascript. Slashdot basically wouldn't work in toto without javascript. Back in the old days it would have, but not now.

          The problem with this article is that I'm sure Oracle wanted Java to be more like the web's javascript, running by default and running everywhere. Unfortunately it was just a bit too bloated (and as it turns out, buggy) for the world to accept this proposal, and yet the world is perfectly happy to run javascript c

        • by tepples ( 727027 )

          Content like Flash and Java should always, always require the user's consent before running

          You realise the web site you are typing into now uses Javascript

          If you think Java is JavaScript then you're wrong.

          JavaScript is "like Flash and Java" to the same extent that Java is "like Flash".

          I'd say you give consent for Slashdot to run JavaScript when you visit the site.

          If visiting a web site implies JavaScript consent, then why doesn't it imply SWF or JVM consent?

          • by Sigma 7 ( 266129 )

            If visiting a web site implies JavaScript consent, then why doesn't it imply SWF or JVM consent?

            Plugins such as SWF, JVM or ActiveX imply having better access to the system (e.g. clipboard, save files to disk, etc.) than regular JavaScript (which is supposed to be limited to the browser). Plugins wouldn't have been necessary if JavaScript could do anything the plugin could. The situation may have changed since the introduction of plugins and Javascript, but the implication remains the same.

            That, and because I s

            • by tepples ( 727027 )

              Plugins such as SWF, JVM or ActiveX imply having better access to the system (e.g. clipboard, save files to disk, etc.) than regular JavaScript

              The system integration exposed to JavaScript programs by the HTML DOM has increased dramatically in the HTML5 era. It now has clipboard manipulation *cough*Tynt*cough*, an API to read and write user-selected files, etc.

            • The original idea of Java in the browser was that it would be sandboxed, that applets would run only in the browser, and therefore that it was safe. I suspect Flash had the same intentions behind it. ActiveX was just stupid, back when what Microsoft knew about security was that it was towards the back of the dictionary. There's no fundamental difference in security between Java, Flash, and Javascript.

              Moreover, plugins and Javascript have different purposes. Plugins are what I install in my browser to

        • by Ksevio ( 865461 )

          Any third party JavaScript, however, is quite often pretty close to spyware/malware,

          Many sites use third-party javascript libraries such as jquery or will host javascript files on a CDN. That doesn't make them close to malware.

      • And you do realize that javascript is not the same as either Java or Flash in this regard, right?

        As to javascript, well, by now I'm sure many of us are only allowing after we whitelisted. My browsers reject it by default and have to have it enabled.

        But letting Java plugins and Flash plugins run without prompting has been a security hole for a very long time by now. It's not like people haven't known about it .. it's right up there with the stupidity of Windows doing an autorun of "hey, you put in a devic

        • In 2014 you are a very unusual person who bothers to whitelist for javascript. You may be the last man standing to do that.

          • by Anonymous Coward

            In 2014 you are a very unusual person who bothers to whitelist for javascript. You may be the last man standing to do that.

            You obviously have forgotten about NoScript's userbase.

            If we're talking about first party javascript, you may have a point.

            • by tepples ( 727027 )
              I think the point is that NoScript's userbase is "very unusual" among the entire WWW client population.
          • You may be technically correct. I'm sitting in my chair right now, so I'm not standing.

    • Any code that doesn't await the user's consent before running is malware, and should be handled as such by any means available.

      That's overly broad. I run NoScript, and I like the idea of a world without JavaScript-based ads (or any unjustified use of JavaScript, ideally) but I'd hardly call such adverts 'malware'.

    • Why stop there? How about click-to-play for Javascript?

      My point is that Javascript, Java and Flash are meant to run in a sandbox. They are all equally vulnerable to such bugs.

  • Comment removed (Score:5, Insightful)

    by account_deleted ( 4530225 ) on Thursday October 16, 2014 @10:10AM (#48159111)
    Comment removed based on user account deletion
    • Maybe, and I mean this as a real MAYBE, they learned something from those vulnerabilities...

    • No, those were just Photoshopped in.

       

  • Comment removed based on user account deletion
  • Konqueror already had this when I started using it in 2006.

  • Click to Play is great for the public web but it is important to remember that there is a huge darknet of private intranet sites as well. Click to play breaks a lot of Java intranet applications that assumed that the applet would load at page load time without any user interaction.

    • Click to Play is great for the public web but it is important to remember that there is a huge darknet of private intranet sites as well. Click to play breaks a lot of Java intranet applications that assumed that the applet would load at page load time without any user interaction.

      Know whose problem that is? The owners of those private intranets and applications.

      Make the default click to play. If companies have stuff which is broken by that, change the setting and accept the general security risk when you

      • by brunes69 ( 86786 )

        Sounds great. So are you going to volunteer the 10 million dollars to re-write the applications?

        • No, that's the problem of the companies who own these apps. But it's not my problem.

          But making the overall internet less secure to account for the people who own these apps? Like I said, dumb.

          Make the default click-to-play. If people or corporations want to override that, then they can assume the risk.

          Making it insecure by default to accommodate corporations is stupid. There's already settings on my work IE that I can't change myself, so this is a solved problem. Corporations already manage those setti

    • whitelisting

      a wasp stung my hand so my posts are short today but that says it all

  • I hate the powers that be who decided to get paid for advertising by infesting the world with malware. No doubt some people are making money and others are losing it in huge quantities.

  • a zero day vulnerability http://en.wikipedia.org/wiki/Z... [wikipedia.org] does not become less zero dayish because you need to click to execute it. This is some executive who has misunderstood what his underlings actually do, and what they mean when they say they are dealing with a zero day issue.
    He ends up being right, for all the wrong reasons, and he is just saying words he doesn't fully comprehend.

  • The reality of the Java situation is that it's not just consumers hosing their machine by visiting a website hosting an exploit. There are tons and tons of crappy internal Java applications running in businesses everywhere. A lot of them are poorly documented, or the developer isn't there anymore, or the consulting company who wrote it wants a million bucks every time you want a change. Like it or not, Java is the language of large business...I'm sure we're going to be talking about J2EE in 40 years the sam

    • You seem to be confusing some very different issues: Java code running in J2EE on servers, and users running Java applications on their client machines.

      For sure Oracle totally screwed up their client machine warnings to users, and I'm still not convinced they have got it right; it's nearly impossible to understand Oracle's documentation or make it work as advertised.

      On the other hand, servers aren't particularly vulnerable to most of these exploits because they assume you already have the ability to run the

      • The thing about J2EE was to illustrate that Java is everywhere. Most of those J2EE systems have a Java applet-based front end provided by the same consulting company that wrote the back end. Hence, million-dollar change orders to get it to support something other than JRE 1.6.51 running on IE 6 (as an example.)

  • Enough said ...

    • by cshark ( 673578 )

      Translation: I'm upset that people are still using Java, when Flash is clearly a superior platform.

  • Click to play is only a small roadblock; it's no different than click to install, and we all know how well that roadblock has worked. Users must be far better educated. "Nothing is safe" should be the theme of the internet and all computer programs. And we can't count on Microsoft or Adobe or Google to tell us the truth. And each of these has been fined triple digit millions of dollars for breaking the customers' trust in one way or another.
